Upgrade libraries on 23.10.1 #5001

Open
arnaualcazar opened this issue May 16, 2024 · 6 comments
@arnaualcazar

Some libraries found in version 23.10.1 do have vulnerabilities. They need to be updated to the following min version:

| Affected library | Severity | Min version needed |
|---|---|---|
| org.pf4j/pf4j | High | 3.10.0 |
| ch.qos.logback/logback-classic | High | 1.4.14 |
| ch.qos.logback/logback-core | High | 1.4.14 |
| io.projectreactor.netty:reactor-netty-http | High | 1.1.13 |
| io.projectreactor.netty/reactor-netty-core | High | 1.1.13 |
| io.netty:netty-codec-http2 | High | 4.1.100.Final |
| org.apache.commons/commons-compress | High | 1.26.0 |
| com.squareup.okio:okio | High | 3.4.0 |
| com.google.guava/guava | High | 32.0.0-jre |
| io.netty:netty-codec-http2 | High | 4.1.100.Final |
| org.eclipse.jgit/org.eclipse.jgit | High | 6.6.1.202309021850-r |
| io.grpc/grpc-protobuf | High | 1.53.0 |
@arnaualcazar (Author)

In the merged fix, I see that io.netty:netty-codec-http2 is in version 4.1.86.Final, which has a high severity vulnerability. Weren't you able to upgrade it?

@pditommaso (Member)

Likely these are deps in the Azure plugin. @bentsherman any clue?

@bentsherman (Member)

It is not a direct dependency of Nextflow or any core plugin, so it must be a transitive dep. I assumed it would be fixed by upgrading the other packages but I guess not.

What's that gradle command to view the whole dependency tree?

@bentsherman (Member)

It is a dependency of the azure blob SDK. It is already up to date on 24.04, so you just need to backport this commit: 1bcbaf0

@bentsherman (Member)

@arnaualcazar was that the only remaining vulnerability?

@arnaualcazar (Author)

I have performed a more in-depth analysis. Adding pending High and critical vulnerabilities along with the paths where they are found.

| Affected library | Severity | Min version needed | Filepath |
|---|---|---|---|
| io.projectreactor.netty:reactor-netty-http | High | 1.1.13 | .nextflow/plugins/nf-azure-1.3.3-patch1/lib/reactor-netty-core-1.0.28.jar |
| io.netty:netty-codec-http2 | High | 4.1.100.Final | .nextflow/plugins/nf-azure-1.3.3-patch1/lib/reactor-netty-http-1.0.28.jar |
| com.squareup.okio:okio | High | 3.4.0 | .nextflow/plugins/nf-azure-1.3.3-patch1/lib/okio-1.15.0.jar |
| com.google.guava/guava | High | 32.0.0-jre | .nextflow/plugins/nf-google-1.8.3-patch1/lib/guava-31.1-jre.jar |
| io.netty:netty-codec-http2 | High | 4.1.100.Final | .nextflow/plugins/nf-amazon-2.1.4-patch1/lib/netty-codec-http2-4.1.86.Final.jar |
| io.grpc/grpc-protobuf | High | 1.53.0 | .nextflow/plugins/nf-google-1.8.3-patch1/lib/grpc-protobuf-1.52.1.jar |
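The kind of check behind the table above (walk the installed plugin `lib/` directories, read the artifact and version out of each jar file name, and flag anything below a required minimum) can be scripted so it is repeatable after a backport. The script below is an added example, not Nextflow project code or the reporter's tooling. It assumes the `.nextflow/plugins/<plugin>/lib/<artifact>-<version>.jar` layout shown in the issue, keys the minimum versions by jar artifact id using the numbers from the issue's tables, and uses a deliberately simple version ordering (numeric tokens compared as integers, qualifiers such as `Final` or `jre` compared as plain strings after them) rather than full Maven semantics. The sample jar list is the six paths quoted in the issue plus two constructed, already-upgraded jars that the check should leave alone.

```python
"""Flag plugin jars whose version is below a required minimum.

Added example (not Nextflow code). Assumes the on-disk layout
.nextflow/plugins/<plugin>/lib/<artifact>-<version>.jar and a
hand-maintained minimum-version table; it queries no advisory feed.
"""
import re
from pathlib import Path, PurePosixPath

# Constructed sample: the six jar paths from the issue, plus two constructed
# jars that are already at the minimum and must NOT be reported.
SAMPLE_JARS = [
    ".nextflow/plugins/nf-azure-1.3.3-patch1/lib/reactor-netty-core-1.0.28.jar",
    ".nextflow/plugins/nf-azure-1.3.3-patch1/lib/reactor-netty-http-1.0.28.jar",
    ".nextflow/plugins/nf-azure-1.3.3-patch1/lib/okio-1.15.0.jar",
    ".nextflow/plugins/nf-google-1.8.3-patch1/lib/guava-31.1-jre.jar",
    ".nextflow/plugins/nf-amazon-2.1.4-patch1/lib/netty-codec-http2-4.1.86.Final.jar",
    ".nextflow/plugins/nf-google-1.8.3-patch1/lib/grpc-protobuf-1.52.1.jar",
    ".nextflow/plugins/nf-amazon-2.1.4-patch1/lib/netty-codec-http2-4.1.100.Final.jar",  # constructed
    ".nextflow/plugins/nf-google-1.8.3-patch1/lib/guava-32.0.0-jre.jar",  # constructed
]

# Minimum versions from the issue, keyed by the artifact id used in the jar name.
MIN_VERSIONS = {
    "reactor-netty-core": "1.1.13",
    "reactor-netty-http": "1.1.13",
    "okio": "3.4.0",
    "guava": "32.0.0-jre",
    "netty-codec-http2": "4.1.100.Final",
    "grpc-protobuf": "1.53.0",
}

# Split "artifact-version.jar" at the first '-' that is followed by a digit, so
# hyphenated artifact ids such as netty-codec-http2 stay intact.
JAR_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d.*)\.jar$")


def parse_jar_name(filename):
    """Return (artifact, version) for a jar file name, or None if it does not fit."""
    m = JAR_RE.match(filename)
    if not m:
        return None
    return m.group("artifact"), m.group("version")


def version_key(version):
    """Comparable key: numeric tokens as ints, qualifiers as strings after them.

    Assumption: qualifiers ('Final', 'jre', 'r') are not ranked semantically;
    this is enough for the jars above but is not a full Maven comparator.
    """
    key = []
    for tok in re.split(r"[.\-_]", version):
        if tok.isdigit():
            key.append((0, int(tok)))
        elif tok:
            key.append((1, tok))
    return tuple(key)


def is_older(found, minimum):
    """True when `found` sorts strictly below `minimum`."""
    return version_key(found) < version_key(minimum)


def find_outdated(jar_paths, min_versions):
    """Return one finding per jar that is below its required minimum."""
    findings = []
    for path in jar_paths:
        parts = PurePosixPath(path).parts
        parsed = parse_jar_name(parts[-1])
        if parsed is None:
            continue
        artifact, version = parsed
        minimum = min_versions.get(artifact)
        if minimum is None or not is_older(version, minimum):
            continue
        plugin = parts[-3] if len(parts) >= 3 else "?"  # .../<plugin>/lib/<jar>
        findings.append({"plugin": plugin, "artifact": artifact,
                         "found": version, "minimum": minimum, "path": path})
    return findings


def scan_plugin_dir(root):
    """Collect jar paths from a real plugins directory (e.g. ~/.nextflow/plugins)."""
    return [p.as_posix() for p in Path(root).glob("*/lib/*.jar")]


if __name__ == "__main__":
    for f in find_outdated(SAMPLE_JARS, MIN_VERSIONS):
        print(f"{f['plugin']}: {f['artifact']} {f['found']} < {f['minimum']}  ({f['path']})")
```

Run it against a real installation with `find_outdated(scan_plugin_dir("~/.nextflow/plugins"), MIN_VERSIONS)` after expanding the path; the sample run reports the six jars from the table and skips the two constructed upgraded ones. Because the check keys on the jar artifact id, it catches a transitive dependency like netty-codec-http2 that never appears as a direct dependency in the build files.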
